Are you meeting your perceived security obligations?

Three trending topics (The S.C. Hackingincident, Sophosvulnerabilities and the SEC lackof encryption) this week have me thinking about what security is obligatory; as well as what security response is defined as reasonable; and if that tide is rising across multiple verticals. The articles in both cases highlight existing disconnects across multiple audiences for expectations. When you combine the orientation of the articles, with the evolving law dialog about reasonable standard of care, the impact of this evolution is probably relevant to every company with a cyber presence.

I’m going to provide a lot of quotes from the various articles, for the purpose of identifying what feels like a set of trends in the tone of reporting. At the bottom, I’m going to talk about what I inferred of the tone in these quotes; and look at what that might mean for organizations.

1) Travis Ormandy (the security researcher who found the Sophos vulnerabilities) asserts that not Sophos should not have been shipping with the vulnerabilities, and once they were alerted:

2) Sophos should have been able to ship a fix sooner, and further posits that Sophos was “clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher. A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease.”

3) This leads him to conclude that “you should be willing and able to disable Sophos installations across your fleet; and exclude Sophos products from consideration for high value networks and assets”.

4) When discussing the story Information Week focuses in on Sophos as a security company, and if they “side-stepped secure coding practices and failed to embrace modern attack-mitigation technologies”

Now, with all that article verbiage quoted above, I think I can draw some succinct themes that span all three trending topics.

The news media (at least) is expecting people who have any type of sensitive information to be protecting it, and keeping those protections up to date.

That protection should reflect “modern” understanding of technologies and defense in depth.

Executives (or governors) are expected to be able to speak, at least generally, to these topics, or have someone else (who can) do the talking.

Organizations that hold large amounts of sensitive data in trust, such as governments and security companies are expected to be more responsive and protective of that sensitive data.

When a something considered a security issue is uncovered, the responsible organization should have a fast acting response to explain the problem and solve it in the field expediently. In the Sophos case, Travis posits that a response that takes longer than a month is a problem.

Where does this fall down today?

Although moreCISOs and CSOsreport to the boardthan ever before, that categorically does not mean the board or the Chief Executive, or his executive staff is aware of the technical details of security. In fact, that’s something I would consider an open question. Should an executive or governor be expected to know these details?

The definition of sensitive data, as soon as you talk to a business or consumer, is probably much larger than that defined by law; and there is no effort I am aware of to close that gap in language. I personally suspect it would go poorly for your impacted organization, if you are in front of a new camera trying to defend why you protected items as required by law; and not as perceived by the consumer; regardless of the legal obligations as defined by your state, country or regional law provisions.

Security professionals today identify lack ofqualified talent and lack of organizationalfunding as a key problem to their daily job; which probably implies that they are doing what they can with what they have; which likely may not meet the expectations identified in these trending articles.

There are possible forward looking statements we could therefore conclude.

If both news articles and law precedent are raising the expectations about what to do with sensitive data, your organization can chose whether to be an early or late adopter to those changing expectations.

As with all decisions, your organization needs to weigh the risks.

Being an early adopter probably means an increased investment in security, but a lower cost if a breach occurs. Given the security industry statement that it’s a when, not an if, this might be a good bet.

Being a slow adopter means that you defer the initial costs to increase security; but if this particular risk triggers, it’s likely be more expensive for slow adopters; and if the worst happens, could shut your business down due to expense or reputation damage if others in your space chose to be early adopters.